Overview
Cyber Insurance Hub uses Identity and Access Management (IAM) to manage access to model resources. To grant access to a model resource, assign one or more IAM roles to a user, group, or service account. Cyber Insurance Hub permissions are incorporated into the IAM roles.
For more information about IAM roles, see IAM roles and permissions index.
Cyber Insurance Hub roles
Cyber Insurance Hub provides predefined roles that grant multiple permissions to specific Cyber Insurance Hub resources.
The following table lists the predefined roles for Cyber Insurance Hub, their description, and which permissions they include. Grant these roles at the organization level.
Role | Title | Description | Permissions |
---|---|---|---|
riskmanager.admin | Risk Manager Admin | All Cyber Insurance Hub permissions | riskmanager.serviceaccount.create riskmanager.reports.get riskmanager.reports.list riskmanager.reports.create riskmanager.reports.delete riskmanager.reports.review riskmanager.reports.share riskmanager.operations.get riskmanager.operations.list riskmanager.operations.delete riskmanager.policies.get riskmanager.policies.list riskmanager.settings.get riskmanager.settings.update riskmanager.controlScoreBreakdowns.get riskmanager.controlScoreBreakdowns.list |
riskmanager.editor | Risk Manager Editor | Access to edit Cyber Insurance Hub resources (includes all permissions except for the ability to share or review a report) | riskmanager.serviceaccount.create riskmanager.reports.get riskmanager.reports.list riskmanager.reports.create riskmanager.reports.delete riskmanager.operations.get riskmanager.operations.list riskmanager.operations.delete riskmanager.policies.get riskmanager.policies.list riskmanager.settings.get riskmanager.settings.update riskmanager.controlScoreBreakdowns.get riskmanager.controlScoreBreakdowns.list |
riskmanager.viewer | Risk Manager Viewer | Access to view Cyber Insurance Hub resources | riskmanager.reports.get riskmanager.reports.list riskmanager.operations.get riskmanager.operations.list riskmanager.policies.get riskmanager.policies.list riskmanager.settings.get riskmanager.controlScoreBreakdowns.get riskmanager.controlScoreBreakdowns.list |
riskmanager.reviewer | Risk Manager Report Reviewer | Access to review/approve Cyber Insurance Hub reports | riskmanager.reports.get riskmanager.reports.list riskmanager.reports.review riskmanager.operations.get riskmanager.operations.list |
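The role table above can be turned into an access review. The following added example (not code from the Cyber Insurance Hub documentation) computes each principal's effective permissions from an organization IAM policy and lists principals who can both create and review reports. It assumes the four roles appear in bindings with the `roles/` prefix, as `roles/riskmanager.serviceAgent` does; treating the create-plus-review overlap as a finding is a policy choice of this example, and the sample policy is constructed.

```python
import json

def perms(*names):
    return {f"riskmanager.{n}" for n in names}

# Role -> permissions, transcribed from the predefined-roles table on this page.
VIEWER = perms("reports.get", "reports.list", "operations.get", "operations.list",
               "policies.get", "policies.list", "settings.get",
               "controlScoreBreakdowns.get", "controlScoreBreakdowns.list")
EDITOR = VIEWER | perms("serviceaccount.create", "reports.create", "reports.delete",
                        "operations.delete", "settings.update")
ROLE_PERMS = {
    "roles/riskmanager.viewer": VIEWER,
    "roles/riskmanager.editor": EDITOR,
    "roles/riskmanager.admin": EDITOR | perms("reports.review", "reports.share"),
    "roles/riskmanager.reviewer": perms("reports.get", "reports.list", "reports.review",
                                        "operations.get", "operations.list"),
}

def effective_permissions(policy):
    """Union of Cyber Insurance Hub permissions each member holds across bindings.
    Group membership and binding conditions are not expanded."""
    held = {}
    for binding in policy.get("bindings", []):
        granted = ROLE_PERMS.get(binding.get("role"))
        if granted is None:
            continue  # not one of the four predefined roles in the table
        for member in binding.get("members", []):
            held.setdefault(member, set()).update(granted)
    return held

def can_create_and_review(policy):
    """Members able to both create and review reports (one role or several combined)."""
    need = perms("reports.create", "reports.review")
    return sorted(m for m, p in effective_permissions(policy).items() if need <= p)

# Constructed sample, shaped like `gcloud organizations get-iam-policy ... --format=json`.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/riskmanager.editor",
   "members": ["user:alice@example.com", "group:risk-team@example.com"]},
  {"role": "roles/riskmanager.reviewer",
   "members": ["user:alice@example.com", "user:bob@example.com"]},
  {"role": "roles/riskmanager.viewer", "members": ["user:bob@example.com"]},
  {"role": "roles/riskmanager.admin", "members": ["user:carol@example.com"]},
  {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:dave@example.com"]}
]}""")

if __name__ == "__main__":
    for member in can_create_and_review(SAMPLE_POLICY):
        print("create+review:", member)
```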
Risk Manager Service Agent role
When you enroll in Cyber Insurance Hub, a service agent is created for you, named in the format organizations-ORGANIZATION_ID@gcp-sa-riskmanager.iam.gserviceaccount.com.
This service agent requires the riskmanager.serviceAgent role at the organization level. This role lets the Cyber Insurance Hub service agent retrieve the data needed from other Google Cloud services to generate Cyber Insurance Hub reports.
The Risk Manager Service Agent (roles/riskmanager.serviceAgent) role includes the following permissions:
Role | Title | Description | Permissions |
---|---|---|---|
roles/riskmanager.serviceAgent | Risk Manager Service Agent | Access to retrieve data from other Google Cloud services needed to generate Cyber Insurance Hub reports. | Also, all permissions of the following roles are included: |
To get the permissions that you need to grant the Risk Manager Service Agent role, ask your administrator to grant you the Organization Administrator (roles/resourcemanager.organizationAdmin) IAM role on your organization.
For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to grant the Risk Manager Service Agent role. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to grant the Risk Manager Service Agent role:
- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.setIamPolicy
You might also be able to get these permissions with custom roles or other predefined roles.
You can grant the Risk Manager Service Agent role to the service agent when you initially configure Cyber Insurance Hub. You can also grant the Risk Manager Service Agent role to a service agent by running the following CLI command:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member="serviceAccount:organizations-ORGANIZATION_ID@gcp-sa-riskmanager.iam.gserviceaccount.com" \
--role="roles/riskmanager.serviceAgent"
Replace ORGANIZATION_ID with the numeric ID of your organization.
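To confirm the binding after running the command, the organization policy can be checked offline. This added example (not part of the Cyber Insurance Hub documentation) reports whether the expected service agent holds roles/riskmanager.serviceAgent and which other members hold it. Flagging other holders is an assumption of this example, and the sample policy and the organization ID 123456789012 are constructed.

```python
SA_ROLE = "roles/riskmanager.serviceAgent"

def expected_agent(org_id):
    """Service agent member string, in the format given on this page."""
    org_id = str(org_id)
    if not (org_id.isascii() and org_id.isdigit()):
        raise ValueError("ORGANIZATION_ID must be the numeric organization ID")
    return ("serviceAccount:organizations-" + org_id
            + "@gcp-sa-riskmanager.iam.gserviceaccount.com")

def check_service_agent(policy, org_id):
    """Return sorted (finding, member) pairs for the service agent role binding.

    'missing'    -> the organization's service agent does not hold the role
    'unexpected' -> some other member holds the role (assumption: worth review)
    """
    agent = expected_agent(org_id)
    holders = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == SA_ROLE:
            holders.update(binding.get("members", []))
    findings = []
    if agent not in holders:
        findings.append(("missing", agent))
    findings += [("unexpected", m) for m in holders if m != agent]
    return sorted(findings)

# Constructed sample, shaped like the JSON output of
# `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`.
SAMPLE = {"bindings": [
    {"role": SA_ROLE, "members": [
        "serviceAccount:organizations-123456789012"
        "@gcp-sa-riskmanager.iam.gserviceaccount.com",
        "user:dave@example.com"]},
    {"role": "roles/riskmanager.viewer", "members": ["user:bob@example.com"]},
]}

if __name__ == "__main__":
    for kind, member in check_service_agent(SAMPLE, "123456789012"):
        print(kind, member)
```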
Cyber Insurance Hub custom roles
In addition to predefined roles, Cyber Insurance Hub supports the ability to create customized IAM roles. You can create a custom IAM role and assign that role one or more permissions. Then, you can grant the new role to your collaborators. Use custom roles to create an access control model that maps directly to your needs, alongside the available predefined roles offered by Google.
This document does not describe how to create a custom role. For in-depth information about custom roles and step-by-step instructions for creating a custom role, see Creating and managing custom roles in the IAM documentation.